8 Tough Questions Every CISO Should Be Ready to AnswerPreparing for Difficult Inquiries From the CEO
When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security.
CISOs need to be thinking about their answers to critical questions the CEO is likely to pose.
Information Security Media Group asked seven security experts what questions they believe CEOs should be asking CISOs, and what information CISOs should arm themselves with to be prepared to provide answers. Following are eight questions and the experts' suggested responses.
1. We have been investing in cybersecurity for a few years now. Would you say our organization is secure?
Israel Bryski, vice president, technology risk, Goldman Sachs: To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization's risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.
We are in the business of information and technology risk management, so the "Are we secure?" question is somewhat misguided. The question should be: "Are we managing risk according to our risk profile?" To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm's overall risk profile.
2. We have a board meeting next week. Can you talk about cybersecurity in a way they will understand?
Mischel Kwon, former director of US-CERT and deputy CISO for the Department of Justice; currently CEO of MKACyber: CISOs should be able to confidently say "absolutely" to this question. They should be able to speak with the board in a very businesslike way and articulate what they are doing with the company's money and how they are protecting the company and its assets.
The key to being able to speak to the board is to base their program on a business-focused model. That business model shows their capability founded on their maturity, and that maturity is based on the probability of detecting specific types of attacks. These are the type of attacks that are most likely to happen to them, and this is the risk to the business, its goals and its reputation that these attacks bring.
3. Do you have enough money to do what you need to do?
Tim Youngblood, CISO, McDonald's: Depending on where CISO sits, this can be a hairy topic. That can be a difficult conversation to say "I'm not getting enough." It's not easy if the CIO is in the room.
The best way to answer that is, "We may have current risks we are really well-funded to address, but there may be future risks we'll need to fund and we still have some work to figure that piece out."
A CEO is not going to write you a blank check. The CEO is going to look at the CFO and CIO and say, "The CISO needs money. You take it out of your budget and make it happen." There is not an extra pot of money waiting for anyone, so making the clear case for why it is needed is key.
4. Is this really worth the investment?
Heath Renfrow, CISO at U.S. Army Medicine: The best thing a CISO can do when asked this question is have multiple options they can present to the CEO. Explain to them: Here's the full issue. This is the total cost to fix this issue. This is what we believe the cost will be if this issue doesn't go away and how much it will be should the vulnerability be exploited.
As an example, we didn't know not know where our protected health Information and personal identifying information resided across all systems when I first got to Army Medicine. It would be a huge HIPAA concern if we got hit on that, or if there was a leak or a violation. It could have cost millions of dollars and many jobs. I tied in the overall cost and broke it down to how much it would be per end-user device to address it and it came out to be an about $3.43 per end-user device. Then I tied in all the results of HIPAA violations in the past few years and the fines associated with them. You get your senior leaders attention real quick with that approach.
Rick Howard, CSO, Palo Alto Networks, adds: Questions like this are sure to arise as corporate leadership attempts to understand the business risk associated with a cyberattack. As a result, CIO/CISOs should be prepared to explain the total cost of a potential breach. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.
5. Are we there yet?
Youngblood: The CEO may often wonder when are you going to stop spending money. This is a tough one because the CISO can't definitively answer that. Because in order to stop spending, you'd need not to have risk. And there isn't a CISO in the world that answer that question and say "We'll have no more risk in the future" unless they unplug form the internet.
This is where the CISO has to use a framework and translate to the c-level. Say something like, "We're really good at access control or identity management, but we have some big gaps on endpoint devices we haven't addressed yet. We are very immature in that and we need to continue to address that."
If the CEO can at least see a framework that is being developed, that gets them more comfortable and they can at least see where money is going and I understand why it's going there.
6. What metrics or KPIs do you use to measure security effectiveness?
Rafal Los, cybersecurity strategist, consultant and managing director, solution & program insight, Optiv, a security solutions provider: I always suggest that a measure of security's performance to the business includes two key factors. The first of these two factors is productivity. Poor security practice decreases productivity while increasing security. Good security practice increases productivity while increasing security.
The second of these two factors is recovery. Every organization will suffer some sort of computer security-related incident. There are no exceptions. The recovery time for these security incidents is heavily dependent on whether security is a partner with the business, or simply just another outside force. Well-integrated, well-operationalized organizations recover quickly not just from a productivity perspective but from also from the shareholder perspective.
Palo Alto Network's Howard adds: The core objective of the CSO/CISO is to prevent material impact to the organization. You can't define that in terms of ROI because protecting the enterprise isn't going to bring in any money. Rather, I would advise CSO/CISOs to calculate and present the potential cost of a hypothetical breach if leadership fails to properly invest in security.
7. When were we breached?
Geoff Webb, vice president, strategy, Micro Focus, a software solutions firm: The most powerful and direct question a CEO can ask a CISO is simply "When were we breached?" Not, "Have we been breached?" or "What's our risk of a breach?" This is important - a good CISO starts their day assuming that they are already breached and works accordingly. CEOs need to start to do the same.
In response, the CISO needs to be able to evaluate and communicate what the most likely point of breach was and to what extent damage has been done. The key here is to force the security organization from a model of "strength" to one of "resilience." Being breached happens to many organizations, but the real damage accumulates over time. So rather than focusing security efforts on hoping attackers can be kept out, the mindset of the organization needs to shift to responding more rapidly to a breach before any meaningful damage is done.
Asking "When were we breached?" forces that mindset, and it also opens up the communication by removing the association of being breached with a failure of security.
8. What else would you like me to know?
Webb: As a discipline, security is moving fast, and the CEO needs to understand that the business impact of security and compliance changes can be dramatic. Engaging in a healthy dialogue with the CISO over the nature of security and compliance is essential. I've seen too many instances in which the CISO is given a short window to communicate to the board the status of security - and as long as nothing is on fire today, the conversation moves on.
Instead, the CEO needs to lead the business management in actively enquiring into emerging risks. Who is in charge of our General Data Protection Regulation initiative and what risks are we running? What's the status of our infrastructure and what is the risk from ransomware? And so on. As businesses move to be increasingly digital, the status of information security moves from a technical issue to an area of core business impact, and CEOs need to foster the conversation in terms of understanding business risk and the impact of the changing security landscape on it.